Symantec blames Lazarus for malware targeting banks in 31 countries

Banks and financial institutions in 30 countries are being targeted, possibly by the Lazarus Group, in a new round of watering hole attacks.

That’s according to a Symantec blogpost which – based on similarities in code used in the recent attacks and those that have previously been attributed to the group – blames the attack on Lazarus.

The Lazarus group is reportedly based in North Korea and is thought to be responsible for the November 2014 wiper attack against Sony Pictures Entertainment.

In the recent banking attacks, a number of pre-selected targets have been infected with the malware. “The attackers compromised the website to redirect visitors to an exploit kit which attempted to install malware on selected targets,” said the Symantec researchers.

The campaign was first detected after a bank in Poland found the previously unseen malware on its system and shared the indicators of compromise (IOCs) with other institutions, which soon realised they’d also been infected.

The attack is believed to have originated at the website of the Polish financial sector regulatory body, Polish Financial Supervision Authority.

Indications are that the criminals behind the campaign are exploiting infected websites to redirect victims to a customized exploit kit, which the researchers explained is coded to infect 150 different IP addresses belonging to 104 organizations in 31 countries, predominantly banks, with a few telecoms and internet firms as well.

The malware in this latest campaign (Downloader.Ratankba), a trojan horse that delivers malicious files to infected computers, was previously unknown, although analysis is still underway.

The Ratankba malware was seen connecting with eye-watch[.]in for command-and-control communications and then downloading a Hacktool. This Hacktool, the researchers stated, bears “distinctive characteristics shared with malware previously associated with Lazarus.”

The attack group Lazarus, active since at least 2009, is credited with a number of financial attacks on targets in the US and South Korea, as well as a Bangladesh bank.

“We have a weak link between the malware being used in this attack and Lazarus,” Eric Chien, technical director of Symantec Security Response, said this week. “Functionally, the samples recovered so far are functionally distinct. However, they do share code related to how they load APIs,” he said

All malware or applications make use of Windows functionality (APIs) and to make use of this functionality you need to ‘load’ these APIs, Chien explained. “They use the same obfuscated means of loading such APIs. You could imagine some actor deciding to copy that means. However, we do not see this method in historic widespread use. There is an additional reuse of code related to a self-deletion routine as well, but this is a very small piece of code.”

Interestingly in this case, said Chien, samples serve the same functional purpose to previous Lazarus attacks, but are not the same code. “So, their coding appears to have started from scratch for multiple binaries with the exception of the API loading routine and self-deletion code.”

If it is Lazarus, this means they have shifted their techniques and targets, Chien explained. The difference being that previous banking attacks focused on Asia, and now those behind this latest campaign created a target list of 100 banks all over the world, including in the U.S. Further, Chien said, the attackers are using watering hole techniques, which means they have to infect a website of interest to their victim. “It is one thing to infect any random website on the internet. It’s another to find and succeed in infecting multiple specific websites. This would represent an increase in sophistication,” Chien said.

All of these items – the increase in sophistication, increase in targets, non-reuse of binaries – would cause one to think that the group is actually not Lazarus, Chien said. “Equally however, Lazarus has historically never been predictable – from the Sony wipe attacks to attempting to steal $1 billion from the Bank of Bangladesh, which were quite different motivations. Right now, we do not have a hard link to Lazarus, but continue to investigate.”